coder
diff --git a/‎coderd/apidoc/docs.go
Lines changed: 45 additions & 0 deletions b/‎coderd/apidoc/docs.go
Lines changed: 45 additions & 0 deletions
diff --git a/‎coderd/apidoc/swagger.json
Lines changed: 41 additions & 0 deletions b/‎coderd/apidoc/swagger.json
Lines changed: 41 additions & 0 deletions
diff --git a/‎coderd/database/dbauthz/dbauthz.go
Lines changed: 14 additions & 0 deletions b/‎coderd/database/dbauthz/dbauthz.go
Lines changed: 14 additions & 0 deletions
diff --git a/‎coderd/database/dbmem/dbmem.go
Lines changed: 19 additions & 0 deletions b/‎coderd/database/dbmem/dbmem.go
Lines changed: 19 additions & 0 deletions
diff --git a/‎coderd/database/dbmetrics/dbmetrics.go
Lines changed: 7 additions & 0 deletions b/‎coderd/database/dbmetrics/dbmetrics.go
Lines changed: 7 additions & 0 deletions
diff --git a/‎coderd/database/dbmock/dbmock.go
Lines changed: 14 additions & 0 deletions b/‎coderd/database/dbmock/dbmock.go
Lines changed: 14 additions & 0 deletions
diff --git a/‎coderd/database/querier.go
Lines changed: 1 addition & 0 deletions b/‎coderd/database/querier.go
Lines changed: 1 addition & 0 deletions
diff --git a/‎coderd/database/queries.sql.go
Lines changed: 18 additions & 0 deletions b/‎coderd/database/queries.sql.go
Lines changed: 18 additions & 0 deletions
diff --git a/‎coderd/database/queries/roles.sql
Lines changed: 7 additions & 0 deletions b/‎coderd/database/queries/roles.sql
Lines changed: 7 additions & 0 deletions
diff --git a/‎coderd/httpapi/httpapi.go
Lines changed: 13 additions & 1 deletion b/‎coderd/httpapi/httpapi.go
Lines changed: 13 additions & 1 deletion
diff --git a/‎codersdk/roles.go
Lines changed: 14 additions & 0 deletions b/‎codersdk/roles.go
Lines changed: 14 additions & 0 deletions
@@ -958,6 +958,20 @@ func (q *querier) DeleteCoordinator(ctx context.Context, id uuid.UUID) error {
 	return q.db.DeleteCoordinator(ctx, id)
 }
 
+func (q *querier) DeleteCustomRole(ctx context.Context, arg database.DeleteCustomRoleParams) error {
+	if arg.OrganizationID.UUID != uuid.Nil {
+		if err := q.authorizeContext(ctx, policy.ActionDelete, rbac.ResourceAssignOrgRole.InOrg(arg.OrganizationID.UUID)); err != nil {
+			return err
+		}
+	} else {
+		if err := q.authorizeContext(ctx, policy.ActionCreate, rbac.ResourceAssignRole); err != nil {
+			return err
+		}
+	}
+
+	return q.db.DeleteCustomRole(ctx, arg)
+}
+
 func (q *querier) DeleteExternalAuthLink(ctx context.Context, arg database.DeleteExternalAuthLinkParams) error {
 	return fetchAndExec(q.log, q.auth, policy.ActionUpdatePersonal, func(ctx context.Context, arg database.DeleteExternalAuthLinkParams) (database.ExternalAuthLink, error) {
 		//nolint:gosimple
 
@@ -1381,6 +1381,25 @@ func (*FakeQuerier) DeleteCoordinator(context.Context, uuid.UUID) error {
 	return ErrUnimplemented
 }
 
+func (q *FakeQuerier) DeleteCustomRole(_ context.Context, arg database.DeleteCustomRoleParams) error {
+	err := validateDatabaseType(arg)
+	if err != nil {
+		return err
+	}
+
+	q.mutex.RLock()
+	defer q.mutex.RUnlock()
+
+	initial := len(q.data.customRoles)
+	q.data.customRoles = slices.DeleteFunc(q.data.customRoles, func(role database.CustomRole) bool {
+		return role.OrganizationID.UUID == arg.OrganizationID.UUID && role.Name == arg.Name
+	})
+	if initial == len(q.data.customRoles) {
+		return sql.ErrNoRows
+	}
+	return nil
+}
+
 func (q *FakeQuerier) DeleteExternalAuthLink(_ context.Context, arg database.DeleteExternalAuthLinkParams) error {
 	err := validateDatabaseType(arg)
 	if err != nil {
 
@@ -25,6 +25,13 @@ WHERE
   END
 ;
 
+-- name: DeleteCustomRole :exec
+DELETE FROM
+	custom_roles
+WHERE
+	name = lower(@name)
+	AND organization_id = @organization_id
+;
 
 -- name: UpsertCustomRole :one
 INSERT INTO
 
@@ -106,12 +106,24 @@ func Is404Error(err error) bool {
 		return false
 	}
 
+	// This tests for dbauthz.IsNotAuthorizedError and rbac.IsUnauthorizedError.
+	if IsUnauthorizedError(err) {
+		return true
+	}
+	return xerrors.Is(err, sql.ErrNoRows)
+}
+
+func IsUnauthorizedError(err error) bool {
+	if err == nil {
+		return false
+	}
+
 	// This tests for dbauthz.IsNotAuthorizedError and rbac.IsUnauthorizedError.
 	var unauthorized httpapiconstraints.IsUnauthorizedError
 	if errors.As(err, &unauthorized) && unauthorized.IsUnauthorized() {
 		return true
 	}
-	return xerrors.Is(err, sql.ErrNoRows)
+	return false
 }
 
 // Convenience error functions don't take contexts since their responses are
 
@@ -105,6 +105,20 @@ func (c *Client) PatchOrganizationRole(ctx context.Context, role Role) (Role, er
 	return r, json.NewDecoder(res.Body).Decode(&r)
 }
 
+// DeleteOrganizationRole will delete a custom organization role
+func (c *Client) DeleteOrganizationRole(ctx context.Context, organizationID uuid.UUID, roleName string) error {
+	res, err := c.Request(ctx, http.MethodDelete,
+		fmt.Sprintf("/api/v2/organizations/%s/members/roles/%s", organizationID.String(), roleName), nil)
+	if err != nil {
+		return err
+	}
+	defer res.Body.Close()
+	if res.StatusCode != http.StatusNoContent {
+		return ReadBodyAsError(res)
+	}
+	return nil
+}
+
 // ListSiteRoles lists all assignable site wide roles.
 func (c *Client) ListSiteRoles(ctx context.Context) ([]AssignableRoles, error) {
 	res, err := c.Request(ctx, http.MethodGet, "/api/v2/users/roles", nil)